diff options
| author | Lluís Batlle i Rossell <viric@vicerveza.homeunix.net> | 2012-03-03 16:07:18 +0000 |
|---|---|---|
| committer | Lluís Batlle i Rossell <viric@vicerveza.homeunix.net> | 2012-03-03 16:07:18 +0000 |
| commit | 79d4b11aeb78b5007b3a06425ff3fb8889cd8a96 (patch) | |
| tree | 8ec16cac5d3887dcf7109d97da5349c480b0bc1b /modules/system/boot/luksroot.nix | |
| parent | 1b65b427c36678aa4f9e3931ffa2be50b8526810 (diff) | |
| download | nixpkgs-79d4b11aeb78b5007b3a06425ff3fb8889cd8a96.tar nixpkgs-79d4b11aeb78b5007b3a06425ff3fb8889cd8a96.tar.gz nixpkgs-79d4b11aeb78b5007b3a06425ff3fb8889cd8a96.tar.bz2 nixpkgs-79d4b11aeb78b5007b3a06425ff3fb8889cd8a96.tar.lz nixpkgs-79d4b11aeb78b5007b3a06425ff3fb8889cd8a96.tar.xz nixpkgs-79d4b11aeb78b5007b3a06425ff3fb8889cd8a96.tar.zst nixpkgs-79d4b11aeb78b5007b3a06425ff3fb8889cd8a96.zip | |
Making the luks thing of initrd a bit more flexible. I used it to get a
ciphered swap, where I could hibernate ciphered. svn path=/nixos/trunk/; revision=32754
Diffstat (limited to 'modules/system/boot/luksroot.nix')
| -rw-r--r-- | modules/system/boot/luksroot.nix | 65 |
1 files changed, 37 insertions, 28 deletions
diff --git a/modules/system/boot/luksroot.nix b/modules/system/boot/luksroot.nix index 3781e6b13b9..098641b6cb6 100644 --- a/modules/system/boot/luksroot.nix +++ b/modules/system/boot/luksroot.nix @@ -3,30 +3,56 @@ with pkgs.lib; let - luksRoot = config.boot.initrd.luksRoot; + luks = config.boot.initrd.luks; + + openCommand = { name, device }: '' + # Wait for luksRoot to appear, e.g. if on a usb drive. + # XXX: copied and adapted from stage-1-init.sh - should be + # available as a function. + if ! test -e ${device}; then + echo -n "waiting 10 seconds for device ${device} to appear..." + for ((try = 0; try < 10; try++)); do + sleep 1 + if test -e ${device}; then break; fi + echo -n "OK" + done + echo "ok" + fi + + # open luksRoot and scan for logical volumes + cryptsetup luksOpen ${device} ${name} + ''; + in { options = { + boot.initrd.luks.enable = mkOption { + default = false; + description = ''; + Have luks in the initrd. + ''; + }; - boot.initrd.luksRoot = mkOption { - default = ""; - example = "/dev/sda3"; + boot.initrd.luks.devices = mkOption { + default = [ ]; + example = [ { name = "luksroot"; device = "/dev/sda3"; } ]; description = ''; - The device that should be decrypted using LUKS before trying to mount the + The list of devices that should be decrypted using LUKS before trying to mount the root partition. This works for both LVM-over-LUKS and LUKS-over-LVM setups. - Make sure that initrd has the crypto modules needed for decryption. + The devices are decrypted to the device mapper names defined. - The decrypted device name is /dev/mapper/luksroot. + Make sure that initrd has the crypto modules needed for decryption. ''; }; - }; + config = mkIf luks.enable { - - config = mkIf (luksRoot != "") { + # Some modules that may be needed for mounting anything ciphered + boot.initrd.kernelModules = [ "aes_generic" "aes_x86_64" "dm_mod" "dm_crypt" + "sha256_generic" "cbc" "cryptd" ]; # copy the cryptsetup binary and it's dependencies boot.initrd.extraUtilsCommands = '' @@ -42,23 +68,6 @@ in $out/bin/cryptsetup --version ''; - boot.initrd.preLVMCommands = '' - # Wait for luksRoot to appear, e.g. if on a usb drive. - # XXX: copied and adapted from stage-1-init.sh - should be - # available as a function. - if ! test -e ${luksRoot}; then - echo -n "waiting for device ${luksRoot} to appear..." - for ((try = 0; try < 10; try++)); do - sleep 1 - if test -e ${luksRoot}; then break; fi - echo -n "." - done - echo "ok" - fi - # open luksRoot and scan for logical volumes - cryptsetup luksOpen ${luksRoot} luksroot - ''; - + boot.initrd.preLVMCommands = concatMapStrings openCommand luks.devices; }; - } |